www.thalesgroup.com OPEN
Building an APT Rosetta Stone
Using OSINT to Group APT Names
Ben Doyle Thales CISO – Asia Pacific
OPEN
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2015 All rights reserved.
Vulnerability Headlines
Branded Vulnerabilities
APT Headlines
What are we to think?
Image Source: http://www.techweekeurope.co.uk
We need Context
APT Naming Schemes
▌ Crowdstrike
Animal espionage names based on country (Deep Panda, Fancy Bear, Comment Panda, Cutting Kitten, Viceroy Tiger)
Cyber-crime based groups use Spider (Pizzo Spider (DD4BC), Andromeda Spider)
Hacktivist based groups use Jackal (Deadeye Jackal, Gekko Jackal (LizardSquad), Ghost Jackal)
▌ Kaspersky – Random (Dark Hotel, Epic Turla, CosmicDuke, Carbanak)
▌ Mandiant/FireEye – APT# (APT1, APT3, APT8, APT17, APT18, APT28, APT6, APT29, APT30)
▌ Cisco – Group# (Group72)
▌ Microsoft – Periodic table of elements (Strontium, Platinum)
▌ Dell – TG-# (TG-2633, TG-0416, TG-3390)
Mapping Process
▌ Using Paterva CaseFile to manually map attributes together
▌ Start with a decent-sized report to allow a significant number of APT groups to be mapped
▌ For each APT name found:
Place it in Paterva CaseFile
Link it to the country of source if possible
Open a browser and search for the APT name
Identify new intelligence in the search results and map it to CaseFile
Search again with the new intelligence – rinse/repeat
CaseFile Mapping
OSINT Research Outcome
My poor browser drowning under yet-to-analyse tabs for the last 6 months
OSINT Rosetta Stone – So far…
Findings so far
Note: The attributions to countries of origin are based on third-party published information. These attributions may not indicate support of the nation state unless specific published information by third parties has stated this.
Chinese Origin
▌ There are some obvious well-known groups, identifiable by the number of different APT names they are known by.
▌ The amount of OSINT in this area can cause problems in itself, with mislinked groups between vendors
Chinese Origin
▌ Sometimes there is not enough OSINT to clearly split APT group names with overlapping attributes or mistakenly reported links between groups
Chinese Origin - Winnti
▌ The Winnti group was very active in the South Korean gaming scene.
▌ They are known to use stolen code-signing certificates in their malware
▌ Interestingly, some of the certificates were used in other APT espionage campaigns.
E.g. Mgame Corp code-signing certificate (part of the FireEye report "From Quartermaster to Sunshop")
Chinese Origin - Naikon
▌ Lotus Panda / MsnMM
▌ Focus is SE Asian countries
▌ Potential links to PLA Unit 78020
▌ Project Camerashy was a large report published by Kaspersky on Naikon
Chinese Origin – Rosetta Stone
▌ APT1 (FireEye), Comment Panda (Crowdstrike), Shady Rat (McAfee), Comment Crew
▌ APT3 (FireEye), Gothic Panda (Crowdstrike), UPS
▌ APT8 (FireEye), Violin Panda (Crowdstrike), Nitro (Symantec)
▌ APT12 (FireEye), Numbered Panda (Crowdstrike), IXEHSE (TrendMicro), JOY Rat, DynCalc, DNSCALC
▌ APT17 (FireEye), Aurora Panda (Crowdstrike), DeputyDog, Hidden Lynx???? (Symantec)
▌ APT18 (FireEye), Dynamite Panda (Crowdstrike), TG-0416 (Dell)
▌ Lotus Panda (Crowdstrike), Naikon (Kaspersky), MsnMM
▌ Vixen Panda (Crowdstrike), Ke3change (FireEye), Mirage, Flea (Symantec)
▌ Deep Panda (Crowdstrike), ShellCrew (RSA), Blackvine (Symantec), WebMasters (Kaspersky), KungFu Kittens (FireEye), SportsFans, Pupa, PinkPantha
▌ Axiom (Novetta), Group 72 (Cisco)
Russian Origin – APT28 / Fancy Bear
▌ Does not appear to conduct widespread intellectual property theft. Mainly targets information related to government interests
▌ Uses Sofacy and Sednit malware
▌ Thought to be running under the military intelligence unit GRU
▌ Linked to the recent US Democratic National Committee breach
Russian Origin – Cozy Bear / APT 29
▌ Cozy Bear / APT29 / CozyDuke / CozyCar / Cozer / EuroAPT / Office Monkeys
▌ Thought to be working for Russia’s Federal Security Service (FSB)
▌ Also linked to the recent Democratic National Committee compromise.
▌ Known to "live off the land", using PowerShell and WMI for persistence.
Russian Origin – Rosetta Stone
▌ APT28 (FireEye), Fancy Bear (Crowdstrike), TG-4127 (Dell Secureworks), Strontium (Microsoft), Pawnstorm (TrendMicro), Tsar Team/Group (iSight Partners), Sednit
▌ APT29 (FireEye), Cozy Bear (Crowdstrike), Cozy Duke (F-Secure), CozyCar (Palo Alto?), Cozer, EuroAPT, Office Monkeys
▌ Energetic Bear (Crowdstrike), Crouching Yeti (Kaspersky), Koala Team, DragonFly (Symantec), Havex
▌ Venomous Bear (Crowdstrike), Uroburos, Oroborous, Epic Turla (Kaspersky), Snake (BAE)
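The alias mapping described under Mapping Process and laid out in the Chinese and Russian Rosetta Stone lists, as an added Python example (this is not the presenter's CaseFile workflow or any vendor's tooling). It builds a union-find index over vendor names so that spelling variants such as "APT 29"/"APT29" and "Cozy Duke"/"CozyDuke" collapse to one node, answers "what else is this group called", and flags clusters where a single vendor ends up contributing two names, which is the mislinking-between-vendors problem noted earlier. The rows are transcribed from the slides above (vendor None where the slide names no source); the "Comment Crew" to "UPS" link inside demo_mislink() is a constructed bad link used only to show the check firing, not a real attribution.

```python
"""Alias index ("Rosetta Stone") for APT group names.

Added example, not the presenter's tooling.  Rows are transcribed from the
slide's Chinese and Russian origin lists; vendor attributions are as the slide
gives them and None where it lists no source.
"""
from __future__ import annotations

from collections import defaultdict


def normalise(name: str) -> str:
    """Key used to merge spelling variants: lower-case, alphanumerics only."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


class AliasIndex:
    """Union-find over normalised names; each set is one believed-same group."""

    def __init__(self) -> None:
        self.parent: dict[str, str] = {}
        self.display: dict[str, str] = {}                      # key -> first spelling seen
        self.vendors: dict[str, set[str]] = defaultdict(set)   # key -> vendors using that name

    def _find(self, key: str) -> str:
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]   # path halving
            key = self.parent[key]
        return key

    def add_name(self, name: str, vendor: str | None = None) -> str:
        key = normalise(name)
        self.parent.setdefault(key, key)
        self.display.setdefault(key, name)
        if vendor:
            self.vendors[key].add(vendor)
        return key

    def link(self, a: str, b: str) -> None:
        """Record that a and b are reported to be the same group."""
        ra, rb = self._find(self.add_name(a)), self._find(self.add_name(b))
        if ra != rb:
            self.parent[rb] = ra

    def add_row(self, row: list[tuple[str | None, str]]) -> None:
        """One Rosetta Stone row: (vendor, name) pairs that all name one group."""
        _, anchor = row[0]
        for vendor, name in row:
            self.add_name(name, vendor)
            self.link(anchor, name)

    def aliases(self, name: str) -> list[str]:
        """Every known name for the group `name` belongs to (empty if unknown)."""
        key = normalise(name)
        if key not in self.parent:
            return []
        root = self._find(key)
        return sorted(self.display[k] for k in self.parent if self._find(k) == root)

    def same_group(self, a: str, b: str) -> bool:
        ka, kb = normalise(a), normalise(b)
        if ka not in self.parent or kb not in self.parent:
            return False
        return self._find(ka) == self._find(kb)

    def vendor_conflicts(self) -> dict[str, dict[str, list[str]]]:
        """Clusters in which one vendor contributes two or more distinct names.

        A vendor normally tracks a group under a single name, so this usually
        means two groups were mislinked somewhere in the OSINT chain and the
        cluster needs manual review before it goes into the Rosetta Stone.
        """
        per_root: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
        for key, vendors in self.vendors.items():
            for vendor in vendors:
                per_root[self._find(key)][vendor].add(self.display[key])
        return {
            self.display[root]: {v: sorted(n) for v, n in by_vendor.items() if len(n) > 1}
            for root, by_vendor in per_root.items()
            if any(len(n) > 1 for n in by_vendor.values())
        }


# Transcribed from the slide's Rosetta Stone lists (a subset).
ROSETTA_ROWS: list[list[tuple[str | None, str]]] = [
    [("FireEye", "APT1"), ("Crowdstrike", "Comment Panda"), ("McAfee", "Shady Rat"), (None, "Comment Crew")],
    [("FireEye", "APT3"), ("Crowdstrike", "Gothic Panda"), (None, "UPS")],
    [("FireEye", "APT17"), ("Crowdstrike", "Aurora Panda"), (None, "DeputyDog")],
    [("FireEye", "APT28"), ("Crowdstrike", "Fancy Bear"), ("Dell Secureworks", "TG-4127"),
     ("Microsoft", "Strontium"), ("TrendMicro", "Pawnstorm"), (None, "Sednit")],
    [("FireEye", "APT 29"), ("Crowdstrike", "Cozy Bear"), ("F-Secure", "Cozy Duke"),
     (None, "CozyDuke"), (None, "Office Monkeys")],
]


def build_index(rows: list[list[tuple[str | None, str]]] = ROSETTA_ROWS) -> AliasIndex:
    idx = AliasIndex()
    for row in rows:
        idx.add_row(row)
    return idx


def demo_mislink() -> dict[str, dict[str, list[str]]]:
    """Constructed bad OSINT link (not a real attribution): a report claims
    'Comment Crew' is 'UPS'.  Merging those rows puts APT1 and APT3, both
    FireEye names, in one cluster, which vendor_conflicts() surfaces."""
    idx = build_index()
    idx.link("Comment Crew", "UPS")
    return idx.vendor_conflicts()


if __name__ == "__main__":
    index = build_index()
    print(index.aliases("cozyduke"))
    print(index.same_group("TG-4127", "Strontium"))
    print(demo_mislink())
```

Running the module prints the APT29 cluster, confirms that TG-4127 and Strontium resolve to the same group, and shows the conflict report for the constructed mislink. The vendor-conflict heuristic is deliberately conservative: it only reports clusters, it never un-merges them, because (as the slides note) some overlaps are genuine and only a manual pass over the underlying reports can settle them.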
What I have found along the way
▌ Re-discovering links from older campaigns
Uroburos/Venomous Bear/Snake were responsible for the US DoD USB banning
▌ Understanding new links
North Korean Dark Seoul malware and Iranian Shamoon Aramco malware (sharing may be due to a technical agreement between the nations)
▌ Threat intelligence is hard
Near impossible for an individual to do
Value is in understanding past actions and motivations, not just IOCs
Contact me
▌ Ben Doyle, CISO Asia Pacific
https://www.linkedin.com/in/bendoylethales